Skip to main content

Léonie WordPress Theme EUVD-2026-37490

| CVE-2026-40758 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-16 Patchstack
PHP Deserialization L Onie
8.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable unauthenticated deserialization (AV:N/PR:N/UI:N); AC:H reflects dependency on a viable POP gadget chain in the host WordPress stack; full CIA impact via RCE.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:30 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.

AnalysisAI

Unauthenticated PHP Object Injection in the Léonie WordPress theme (versions ≤ 1.2.1) by Elated Themes allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a suitable POP gadget chain exists in the WordPress stack. Reported by Patchstack and tracked as EUVD-2026-37490, with no public exploit identified at time of analysis but a high CVSS score of 8.1 reflecting the severity of unauthenticated deserialization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Léonie theme on target
Delivery
Craft serialized POP gadget payload
Exploit
Send unauthenticated HTTP request
Install
Trigger unserialize() in theme
C2
Execute gadget chain magic methods
Execute
Achieve RCE or file write
Impact
Establish webshell persistence
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the Léonie WordPress theme version 1.2.1 or earlier to be installed and active on a reachable WordPress site, with the attacker able to send HTTP(S) requests to the vulnerable theme endpoint that passes input into unserialize(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, score 8.1) indicates a network-reachable, unauthenticated flaw with no user interaction but high attack complexity - the AC:H likely reflects the need to identify a usable POP gadget chain within the target's WordPress stack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a WordPress site running the Léonie theme and crafts a malicious serialized PHP payload combining a class from WordPress core or a bundled plugin into a POP gadget chain. The attacker submits this payload over HTTP/HTTPS to the vulnerable theme parameter; upon unserialize(), the chain triggers arbitrary file writes or PHP code execution, granting the attacker a webshell and full site control. …
Remediation No vendor-released patch version is identified in the provided data; defenders should consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/lonie/vulnerability/wordpress-leonie-theme-1-2-1-php-object-injection-vulnerability for the fixed release once published by Elated Themes, and upgrade to any version above 1.2.1. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Audit all WordPress installations to identify instances of Léonie theme version 1.2.1 or earlier and assess available POP gadget chains in installed plugins. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

EUVD-2026-37490 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy